{"id":18419786,"url":"https://github.com/telia-oss/concourse-sts-lambda","last_synced_at":"2025-09-10T05:37:31.663Z","repository":{"id":57592459,"uuid":"122051303","full_name":"telia-oss/concourse-sts-lambda","owner":"telia-oss","description":"Lambda function for dynamic STS credentials in Concourse (using assumed roles)","archived":false,"fork":false,"pushed_at":"2023-10-11T21:05:45.000Z","size":1498,"stargazers_count":8,"open_issues_count":4,"forks_count":11,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-06-18T03:02:54.448Z","etag":null,"topics":["aws","concourse","lambda","sts"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/telia-oss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-19T11:09:12.000Z","updated_at":"2023-07-25T14:15:07.000Z","dependencies_parsed_at":"2024-06-20T12:05:16.632Z","dependency_job_id":"467834ec-21ab-429e-bdf5-d37e9298a0a9","html_url":"https://github.com/telia-oss/concourse-sts-lambda","commit_stats":null,"previous_names":["teliasoneranorge/concourse-sts-lambda"],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/telia-oss/concourse-sts-lambda","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fconcourse-sts-lambda","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fconcourse-sts-lambda/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fconcourse-sts-lambda/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fconcourse-sts-lambda/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/telia-oss","download_url":"https://codeload.github.com/telia-oss/concourse-sts-lambda/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fconcourse-sts-lambda/sbom","scorecard":{"id":873260,"data":{"date":"2025-08-11","repo":{"name":"github.com/telia-oss/concourse-sts-lambda","commit":"3ac19974b087bb6a6792960b6e0ee7df5043be42"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.2.0 not signed: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/29272320","Warn: release artifact v1.1.0 not signed: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/29269532","Warn: release artifact v1.0.0 not signed: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/19256678","Warn: release artifact v0.10.0 not signed: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/16785406","Warn: release artifact v0.9.1 not signed: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/14954155","Warn: release artifact v1.2.0 does not have provenance: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/29272320","Warn: release artifact v1.1.0 does not have provenance: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/29269532","Warn: release artifact v1.0.0 does not have provenance: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/19256678","Warn: release artifact v0.10.0 does not have provenance: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/16785406","Warn: release artifact v0.9.1 does not have provenance: https://api.github.com/repos/telia-oss/concourse-sts-lambda/releases/14954155"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"17 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0391 / GHSA-6jvc-q2x7-pchv / GHSA-76wf-9vgp-pj7w","Warn: Project is vulnerable to: GO-2022-0635 / GHSA-7f33-f4f5-xwgw","Warn: Project is vulnerable to: GO-2022-0646 / GHSA-f5pg-7wfw-84q9","Warn: Project is vulnerable to: GO-2022-0236 / GHSA-h86h-8ppg-mxmh","Warn: Project is vulnerable to: GO-2021-0238 / GHSA-83g2-8m93-v3w7","Warn: Project is vulnerable to: GO-2022-0288","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2022-0493 / GHSA-p782-xgp4-8hr8"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-24T04:57:51.498Z","repository_id":57592459,"created_at":"2025-08-24T04:57:51.498Z","updated_at":"2025-08-24T04:57:51.498Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274417408,"owners_count":25281108,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-10T02:00:12.551Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","concourse","lambda","sts"],"created_at":"2024-11-06T04:18:23.115Z","updated_at":"2025-09-10T05:37:26.647Z","avatar_url":"https://github.com/telia-oss.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## concourse-sts-lambda\n\n[![Build Status](https://travis-ci.org/telia-oss/concourse-sts-lambda.svg?branch=master)](https://travis-ci.org/telia-oss/concourse-sts-lambda)\n\nLambda function to rotate AWS credentials used by Concourse teams. See \nthe terraform subdirectory for an example that should work (with minimal effort).\n\n### Why?\n\nOur CI/CD (in our case Concourse) needs AWS credentials to deploy Terraform\ntemplates. Since we are sharing workers between teams, the instance profile\nitself has no privileges. And so, we need to pass in credentials to the tasks \nwhich require them.\n\nInstead of having individual teams being responsible for their CI credentials,\nwe can use this Lambda function to write temporary credentials to a specific teams\nConcourse secrets, for one or more accounts.\n\n### How?\n\nIn short:\n\n1. This Lambda function is deployed to the same account as our Concourse.\n2. Individual accounts add a CI role with the Lambda functions execution role\nas a trusted entity.\n3. A team adds a CloudWatch event rule with the configuration for which\naccounts they need access to.\n4. Lambda assumes the roles specified in the configuration and rotates \nthe temporary AWS credentials for said team on a 50min schedule.\n5. ???\n6. Profit.\n\n### Usage\n\nBe in the root directory:\n\n```bash\nmake release\n```\n\nYou should now have a zipped Lambda function. Next, edit [terraform/example.tf](./terraform/example.tf)\nto your liking. When done, be in the terraform directory:\n\n```bash\nterraform init\nterraform apply\n```\n\nNOTE: The `aws/secretsmanager` KMS Key Alias has to be created/exist before the lambda is deployed.\n\n### Team configuration\n\nExample configuration for a Team (which is then passed as input in the CloudWatch event rule):\n\n```json\n{\n  \"name\": \"example-team\",\n  \"accounts\": [{\n    \"name\": \"divx-lab\",\n    \"roleArn\": \"arn:aws:iam::123456789999:role/machine-user-example\"\n  }]\n}\n```\n\nYou can also optionally specify the duration the sts assume role call should use:\n\n```json\n{\n  \"name\": \"example-team\",\n  \"accounts\": [{\n    \"name\": \"divx-lab\",\n    \"roleArn\": \"arn:aws:iam::123456789999:role/machine-user-example\",\n    \"duration\": 7200\n  }]\n}\n```\n\nNote: [Role chaining](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) has a limit on duration to be maximum 1 hour.\n\nWhen the function is triggered with this input it will assume the\n`roleArn`, and write the credentials to (by default):\n\n- `/concourse/example-team/divx-lab-access-key`\n- `/concourse/example-team/divx-lab-secret-key`\n- `/concourse/example-team/divx-lab-session-token`\n\nNote that you can have multiple accounts, in which case the account\nname must be unique to avoid overwriting the secrets in Secrets manager.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelia-oss%2Fconcourse-sts-lambda","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftelia-oss%2Fconcourse-sts-lambda","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelia-oss%2Fconcourse-sts-lambda/lists"}